1.Your Aruba CX 6300 VSF stack has OSPF adjacency over SVI 10 with LAG 1 to a
neighboring device.
The following configuration was created on the switch:


vlan 20,30,40
address 10.10.20.1/24
ip address 10.10.39.1/

A)

vlan 20,30,40
ospf passive

B)

interface vlan 20,30,40
ip ospf passive

C)

router ospf 1
area 0
passive-interface
vlan 20,30,40

D)

router ospf 1
area 0
redistribute local

A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
Explanation:
The correct configuration for OSPF adjacency over SVI 10 with LAG 1 to a
neighboring device is shown in Option C.

The configuration includes the following steps:

* Create a VLAN 10 and assign it a name and an IP address.

* Create a LAG 1 and assign it a and a mode of dynamic or static.

* Add member ports to LAG 1 and enable the LAG interface.

* Assign VLAN 10 as the untagged VLAN for LAG 1.

* Enable OSPF on the switch and assign it a router ID.

* Create an OSPF area 0 and add SVI 10 as an interface in that area.

Option A is incorrect because it does not enable OSPF on the switch or create an
OSPF area. Option B is incorrect because it assigns VLAN 10 as the tagged VLAN for
LAG 1, which is not compatible with SVI 10.

Option D is incorrect because it does not add member ports to LAG 1 or enable the
LAG interface.

References: 
https://techhub.hpe.com/eginfolib/Aruba/OS-CX_10.04/5200-6692/GUID-BD3E0A5F- 
FE4C-4B9B-BE1D-FE7D 


2.The customer needs a network hardware refresh to replace an aging Aruba 5406R 
core switch pair using spanning tree configuration with Aruba CX 8360-32YC 
switches. 
What is the benefit of VSX clustering with the new solution? 
A. stacked data-plane 
B. faster MSTP converge processing 
C. dual Aruba AP LAN port connectivity for PoE redundancy 
D. dual control plane provides better resiliency 
Answer: D 
Explanation: 
VSX clustering is a feature that allows two Aruba CX switches to operate as a single 
logical device, providing high availability, scalability, and simplified management. 
VSX clustering has several benefits over spanning tree configuration, such as: 
* Dual control plane provides better resiliency. Unlike stacking, where switches share
a single control plane, VSX switches have independent control planes that
synchronize their states over an inter-switch link (ISL). This means that if one switch
fails or reboots, the other switch can continue to operate without affecting traffic flows
or network services.
* Active-active forwarding provides better performance. Unlike spanning tree, where
some links are blocked to prevent loops, VSX switches use all available links for
forwarding traffic, providing load balancing and increased bandwidth utilization.
* Multichassis LAG provides better redundancy. Unlike single-chassis LAG, where all
member ports belong to one switch, VSX switches can form multichassis LAGs with
downstream or upstream devices, where member ports are distributed across both
switches. This provides link redundancy and seamless failover in case of switch or
port failure.
References: https://www.arubanetworks.com/assets/tg/TG. VSX.pdf

3. You need to ensure that voice traffic sent through an ArubaOS-CX switch arrives
with minimal latency. What is the best scheduling technology to use for this task?
(Select two.)

A. Voice VLANS can be automatically configured for VoIP phones 

B. APs can request power as needed from PoE-enabled switch ports 

C. iSCSI client devices can request to have flow control enabled 

D. GVRP VLAN information can be used to dynamically add VLANs to a trunk 

E. iSCSI client devices can set the required MTU setting for the port. 

Answer: AB 

Explanation:

These are two benefits enabled by LLDP-MED (Link Layer Discovery Protocol -
Media Endpoint Discovery).

LLDP-MED is an extension of LLDP that provides additional capabilities for network
devices such as VoIP phones and APs. One of the capabilities is to automatically
configure voice VLANs for VoIP phones, which allows them to be placed in a separate
VLAN from data devices and receive QoS and security policies.
Another capability is to request power as needed from PoE-enabled switch ports,
which allows APs to adjust their power consumption and performance based on the
available power budget. The other options are incorrect because they are either not
enabled by LLDP-MED or not related to LLDP-MED.

References:

https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/wlan-qos/lldp-me

https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/wlan-rf/poe.htm

4.A company deployed Dynamic Segmentation with their CX switches and Gateways.
After performing a security audit on their network, they discovered that the tunnels
built between the CX switch and the Aruba Gateway are not encrypted. The company
is concerned that bad actors could try to insert spoofed messages on the Gateway to
disrupt communications or obtain information about the network.

Which action must the administrator perform to address this situation?

A. Enable Secure Mode Enhanced
B. Enable Enhanced security
C. Enable Enhanced PAPI security
D. Enable GRE security
Answer: C


5.What is true regarding 802.11k?
A. It extends radio measurements to define mechanisms for wireless network
management of stations
B. It reduces roaming delay by pre-authenticating clients with multiple target APs 
before a client roams to an AP 
C. It provides mechanisms for APs and clients to dynamically measure the available 
radio resources. 
D. It considers several metrics before it determines if a client should be steered to the 
5GHz band, including client RSSI 
Answer: AC 


6.What is an Aruba-recommended best practice for hardening that only applies to 
Aruba CX 6300 series switches with dedicated management ports? 


A. Implement a control plane ACL to limit access to approved IPs and/or subnets 

B. Manually enable Enhanced Security Mode from a console session. 

C. Disable all management services on the default VRF. 

D. Create a dedicated management VRF, and assign the management port to it. 
Answer: D 

Explanation: 

This is an Aruba-recommended best practice for hardening that only applies to Aruba 
CX 6300 series switches with dedicated management ports. A dedicated 
management port is a physical port that is used exclusively for out-of-band 
management access to the switch. A dedicated management VRF is a virtual routing 
and forwarding instance that isolates the management traffic from other traffic on the 
switch. By creating a dedicated management VRF and assigning the management 
port to it, the administrator can enhance the security and performance of the
management access to the switch. The other options are incorrect because they
either do not apply to switches with dedicated management ports or do not follow
Aruba-recommended best practices.
References:
https://www.arubanetworks.com/assets/ds/DS AOS-C on
https://www.arubanetworks.com/assets/tg/TB_ArubaCX_Switching.pdf

7.A customer is using stacked Aruba CX 6200 and CX 6300 switches for access and
a VSX pair of Aruba CX 8325 as a collapsed core. 802.1X is implemented for
authentication. Due to the lack of cabling, some unmanaged switches are still in use.
Sometimes devices behind these switches cause network outages. The switch should
send a warning to the helpdesk when the problem occurs. You have been asked to
implement an effective solution for the problem.

What is the solution for this?

A. Configure spanning tree on the Aruba CX 8325 switches. Set the trap-option.

B. Configure loop protection on all edge ports of the Aruba CX 6200 and CX 6300
switches. No trap option is needed.

C. Configure loop protection on all edge ports of the Aruba CX 6200 and CX 6300
switches. Set up the trap-option.

D. Configure spanning tree on the Aruba CX 6200 and CX 6300 switches. No trap
option is needed.

Answer: C

Explanation:

This is the correct solution to the problem of devices behind unmanaged switches
causing network outages due to loops. Loop protection is a feature that allows an
Aruba CX switch to detect and prevent loops by sending loop protection packets on
each port, LAG, or VLAN on which loop protection is enabled. If a loop protection
packet is received by the same switch that sent it, it indicates a loop exists and an
action is taken based on the configuration. Loop protection should be configured on
all edge ports of the Aruba CX 6200 and CX 6300 switches, which are the ports that
connect to end devices or unmanaged switches. The trap-option should be set up to
send a warning to the helpdesk when a loop is detected. The other options are
incorrect because they either do not configure loop protection or do not set up the
trap-option.

References:

https://www.arubanetworks.com/techdocs/AOS-CX/10.05/HTML/5200-7540/GUID-99A8B276-0DA3-4458-AF
https://www.arubanetworks.com/techdocs/AOS-CX/10.05/HTML/5200-7540/GUID-D8613BDE-CD21-4B83-85


8.Which feature supported by SNMPv3 provides an advantage over SNMPv2c? 
A. Transport mapping
B. Community strings
C. GetBulk
D. Encryption
Answer: D

Explanation:
Encryption is a feature supported by SNMPv3 that provides an advantage over
SNMPv2c. Encryption protects the confidentiality and integrity of SNMP messages by
encrypting them with a secret key.
SNMPv2c does not support encryption and relies on community strings for
authentication and authorization, which are transmitted in clear text and can be easily
intercepted or spoofed. Transport mapping, community strings, and GetBulk are
features that are common to both SNMPv2c and SNMPv3.
References:
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/snmp/snmp.htm
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/snmp/snmpv3.htm


9.You are configuring Policy Based Routing (PBR) for a subnet that will be used to
test a new default route for your network. Traffic originating from 10.2.250.0/24 should
use a new default route to 10.1.1.253. Other non-default routes for this subnet should 
not be affected by this change. 


What are two parts of the solution for these requirements? (Select two.) 
A)

pbr-action-list def route test
default-nexthop 10.1.1.253/24

B)

class ip test subnet
10 match any 10.2.250.0/24 any
policy def route test policy
10 class ip test subnet action pbr def route test
interface vlan 100
ip address 10.2.250.0/24
apply policy pbr. test routed in

C)

class ip test subnet
10 match any 10.2.250.0 255.255.255.0 any
policy def route test policy
10 class ip ip test subnet action pbr def route test
interface vlan 100
ip address 10.2.250.0/24
apply policy pbr test routed out

D)

pbr-action-list def route test
default-nexthop 10.1.1.253
interface null

E)

pbr-action-list def route test
nexthop 10.1.1.253
interface null


A. Option A 
B. Option B 
C. Option C 
D. Option D 
E. Option E 
Answer: CE 


10.Two AOS-CX switches are configured with VSX at the Access-Aggregation
layer where servers attach to them. An SVI interface is configured for VLAN 10 and
serves as the default gateway for VLAN 10. The ISL link between the switches fails,
but the keepalive interface functions. Active gateway has been configured on the VSX
switches.

[Figure: VSX topology diagram; recoverable labels: LAG 101, LAG 102, KeepAlive VRF, Server 1, Server 2]

What is correct about access from the servers to the Core? (Select two.)
A. Server 1 can access the core layer via the keepalive link

B. Server 2 can access the core layer via the keepalive link

C. Server 2 cannot access the core layer.

D. Server 1 can access the core layer via both uplinks

E. Server 1 and Server 2 can communicate with each other via the core layer

F. Server 1 can access the core layer on only one uplink

Answer: D E

Explanation:

These are the correct statements about access from the servers to the Core when the
ISL link between the switches fails, but the keepalive interface functions. Server 1 can
access the core layer via both uplinks because it is connected to VSX-A, which is still
active for VLAN 10. Server 2 can also access the core layer via its uplink to VSX-B,
which is still active for VLAN 10 because of Active Gateway feature. Server 1 and
Server 2 can communicate with each other via the core layer because they are in the
same VLAN and subnet, and their traffic can be routed through the core switches.
The other statements are incorrect because they either describe scenarios that are
not possible or not relevant to the question.
References: https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-

11.What is an OSPF transit network? 


A. a network that uses tunnels to connect two areas
B. a special network that connects two different areas
C. a network on which a router discovers at least one neighbor
D. a network that connects to a different routing protocol

Answer: C
Explanation:
A. a network that uses tunnels to connect two areas - This is not the standard
definition of a transit network in OSPF. While tunnels can be used in OSPF for
various purposes (e.g., OSPF virtual links), they are not specifically what defines a
transit network.
B. a special network that connects two different areas - While an OSPF network might
connect two areas, particularly if it's an Area Border Router (ABR), this doesn't define 
what a transit network is. Any OSPF-enabled network segment where routers form 
adjacencies and forward data can be a transit network, irrespective of areas. 
D. a network that connects to a different routing protocol - This is describing a 
boundary where OSPF interfaces with another routing protocol, typically managed 
using redistribution. This isn't what defines a transit network in OSPF. 


12.Which Aruba AP mode is sending captured RF data to Aruba Central for waterfall 
plot? 
A. Hybrid Mode 


B. Air Monitor 
C. Spectrum Monitor 
D. Dual Mode 
Answer: C 
Explanation: 
Spectrum Monitor is an Aruba AP mode that is sending captured RF data to Aruba 
Central for waterfall plot. 
Spectrum Monitor is a mode that allows an AP to scan all channels in both 2.4 GHz 
and 5 GHz bands and collect information about the RF environment, such as 
interference sources, noise floor, channel utilization, etc. The AP then sends this data 
to Aruba Central, which is a cloud-based network management platform that can 
display the data in various formats, including waterfall plot. Waterfall plot is a 
graphical representation of the RF spectrum over time, showing the frequency, 
amplitude, and duration of RF signals. The other options are incorrect because they
are either not AP modes or not sending RF data to Aruba Central.
References:
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/1-overview/spect
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/1-overview/water
https://www.arubanetworks.com/products/network-management-operations/aruba-central/

13.You need to create a keepalive network between two Aruba CX 8325 switches for
VSX configuration. How should you establish the keepalive connection?

A. SVI, VLAN trunk allowed all on ISL in default VRF

B. routed port in custom VRF

C. loopback 0 and OSPF area 0 in default VRF

D. SVI, VLAN trunk allowed all on ISL in custom VRF

Answer: B

Explanation:

To establish a keepalive connection between two Aruba CX 8325 switches for VSX
configuration, you need to use a routed port in custom VRF. A routed port is a
physical port that acts as a layer 3 interface and does not belong to any VLAN. A
custom VRF is a virtual routing and forwarding instance that provides logical
separation of routing tables. By using a routed port in custom VRF, you can isolate
the keepalive traffic from other traffic and prevent routing loops or conflicts. The other
options are incorrect because they either do not use a routed port or do not use a
custom VRF.

References:

https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch07.html
https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch02.html


14.Which method is used to onboard a new UXI in an existing environment with 802.1X
authentication? (The sensor has no cellular connection)

A. Use the UXI app on your smartphone and connect the UXI via Bluetooth 

B. Use the Aruba installer app on your smartphone to scan the barcode 

C. Connect the new UXI from an already installed one and adjust the initial 
configuration. 

D. Use the CLI via the serial cable and adjust the initial configuration. 

Answer: A 


15.How is Multicast Transmission Optimization implemented in an Aruba
wireless network?
A. The optimal rate for sending multicast frames is based on the highest broadcast
rate across all associated clients
B. When this option is enabled the minimum default rate for multicast traffic is set to
12 Mbps for 5 GHz
C. The optimal rate for sending multicast frames is based on the lowest broadcast
rate across all associated clients.
D. The optimal rate for sending multicast frames is based on the lowest unicast rate
across all associated clients.
Answer: D


16.You need to have different routing-table requirements with Aruba CX 6300 VSF
configuration. Assuming correct layer-2 VLAN already exists, how would you create
a new OSPF configuration for a separate routing table?

A. Create a new OSPF area, and attach VRF name.

B. Create a new OSPF process ID with vrf name.

C. Attach a new OSPF process ID with a custom routing table

D. Attach OSPF process ID in the VRF configuration.

Answer: B

Explanation: 

To create a new OSPF configuration for a separate routing table, you need to create 
a new OSPF process ID with vrf name. This will create a new OSPF instance that is 
associated with the specified VRF and its routing table. The other options are 
incorrect because they either do not create a new OSPF instance or do not associate 
it with a VRF. 

References: 

https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch02.html
https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch03.html


17.A customer has a large number of food-producing machines 

* All machines are connected via Aruba CX6200 switches in VLANs 100, 110, and 120
* Several external technicians are maintaining this special equipment 

What are the correct commands to ensure that no rogue DHCP server will impact the 
network? 

A)

dhcp-snooping enable
no dhcp-snooping option 82
dhcp-snooping vlan 100-120
vlan 100
name cornflakes
vlan 110
name cornmill
vlan 120
name packaging
interface lag 1
no shutdown
description Uplink-to-Core
no routing
vlan trunk native 1
vlan trunk allowed all
lacp mode active
dhcp-snooping trust

B)

dhcp snooping enable
no dhcp-snooping option 82
vlan 100
name cornflakes
dhcp-snooping
vlan 110
name cornmill
dhcp-snooping
vlan 120
name packaging
dhcp-snooping
interface lag 1
no shutdown
description Uplink-to-Core
no routing
vlan trunk native 1
vlan trunk allowed all
lacp mode active
dhcp snooping trust

C)

dhcpv4-snooping all vlans
no dhcpv4-snooping option 82
interface lag 1
no shutdown
description Uplink-to-Core
no routing
vlan trunk native 1
vlan trunk allowed all
lacp mode active
dhcpv4-snooping trust

D)

dhcpv4-snooping
no dhcpv4-snooping option 82
vlan 100
name cornflakes
dhcpv4-snooping
vlan 110
name cornmill
dhcpv4-snooping
vlan 120
name packaging
dhcpv4-snooping
interface lag 1
no shutdown
description Uplink-to-Core
no routing
vlan trunk native 1
vlan trunk allowed all
lacp mode active
dhcpv4-snooping trust

A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Explanation: 
Option A shows the correct commands to ensure that no rogue DHCP server will
impact the network.

The commands include the following steps:
* Enable DHCP snooping on the switch. DHCP snooping is a feature that prevents
rogue DHCP servers from offering IP addresses to clients by filtering DHCP
messages based on trusted and untrusted ports [1].

* Configure VLANs 100, 110, and 120 as DHCP snooping VLANs. This means that
DHCP snooping will be applied to these VLANs and any untrusted DHCP messages
received on these VLANs will be dropped [1].

* Configure LAG 1 as a trusted port for DHCP snooping. This means that any DHCP
messages received on LAG 1 will be allowed and not filtered by DHCP snooping.
LAG 1 is assumed to be connected to a legitimate DHCP server or a router that relays
DHCP requests to a legitimate DHCP server [1].

Option B is incorrect because it does not enable DHCP snooping on the switch or
configure VLANs 100, 110, and 120 as DHCP snooping VLANs. Option C is incorrect
because it does not configure LAG 1 as a trusted port for DHCP snooping. Option D
is incorrect because it does not enable DHCP snooping on the switch or configure
LAG 1 as a trusted port for DHCP snooping.

References: [1] https://techhub.hpe.com/eginfolib/Aruba/OS-CX_10.04/5200-6692/GUID-BD3E0A5F-FE4C-4B9B-BE1D-E
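
The trusted/untrusted filtering described in the explanation can be modelled in a few lines. This is an added example, not switch or vendor code: it covers only the trust check (no binding table, no option 82), and the edge port name "1/1/5", VLAN 200 and the sample payloads are constructed for the demo.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# DHCP message types (option 53). OFFER, ACK and NAK are sent only by servers.
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_TYPES = {2, 5, 6}


def dhcp_message_type(payload: bytes):
    """Return the option 53 value of a BOOTP/DHCP payload, or None if absent."""
    # 236-byte fixed BOOTP header, then the 4-byte magic cookie, then options.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):    # truncated option header
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:      # truncated option body
            break
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None


class SnoopingSwitch:
    """Simplified model of the per-port trust decision."""

    def __init__(self, snooped_vlans, trusted_ports):
        self.snooped_vlans = set(snooped_vlans)
        self.trusted_ports = set(trusted_ports)
        self.violations = []         # (port, vlan, message name) worth alerting on

    def ingress(self, port: str, vlan: int, payload: bytes) -> str:
        """Return 'forward' or 'drop' for a DHCP payload received on port/vlan."""
        if vlan not in self.snooped_vlans or port in self.trusted_ports:
            return "forward"
        mtype = dhcp_message_type(payload)
        if mtype in SERVER_TYPES:
            # A server reply on an untrusted port indicates a rogue DHCP server.
            self.violations.append((port, vlan, MSG_NAMES[mtype]))
            return "drop"
        return "forward"             # client messages are allowed on untrusted ports


def build_dhcp(op: int, mtype: int) -> bytes:
    """Constructed minimal DHCP payload for the demo (not a real capture)."""
    header = struct.pack("!BBBB", op, 1, 6, 0) + bytes(232)
    return header + MAGIC_COOKIE + bytes([53, 1, mtype, 255])


def demo():
    # VLANs 100/110/120 snooped and LAG 1 trusted, as in the question;
    # port "1/1/5" and VLAN 200 are made up for the demo.
    sw = SnoopingSwitch(snooped_vlans=[100, 110, 120], trusted_ports=["lag1"])
    offer, discover = build_dhcp(2, 2), build_dhcp(1, 1)
    results = {
        "offer_from_uplink": sw.ingress("lag1", 110, offer),
        "offer_from_edge": sw.ingress("1/1/5", 110, offer),
        "discover_from_edge": sw.ingress("1/1/5", 110, discover),
        "offer_unsnooped_vlan": sw.ingress("1/1/5", 200, offer),
    }
    return results, sw.violations


if __name__ == "__main__":
    verdicts, violations = demo()
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    print("violations:", violations)
```

The last case shows why the VLAN list matters: a server reply on a VLAN that is not snooped is forwarded even from an edge port.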




18.In an ArubaOS 10 architecture using an AP and a Gateway, what happens when a
client attempts to join the network and the WLAN is configured with OWE?
A. Authentication information is not exchanged.
B. The Gateway will not respond.
C. No encryption is applied.
D. RADIUS protocol is utilized.
Answer: A

Explanation:
This is the correct statement about what happens when a client attempts to join the
network and the WLAN is configured with OWE (Opportunistic Wireless Encryption).
OWE is a standard that provides encryption for open networks without requiring any
authentication or credentials from the client or the network. OWE uses a Diffie-
Hellman key exchange mechanism to establish a secure session between the client
and the AP without exchanging any authentication information. The other options are
incorrect because they either describe scenarios that require authentication or
encryption methods that are not used by OWE.

References: 

https://www.arubanetworks.com/assets/wp/WP WiFi6.pdf 
https://www.arubanetworks.com/assets/ds/DS AP510Series.pdf 


19.Describe the difference between Class of Service (CoS) and Differentiated 
Services Code Point (DSCP). 

A. CoS is only used to determine CLASS of traffic DSCP is only used to differentiate 
between different Classes. 


B. CoS is only contained in VLAN Tag fields DSCP is in the IP Header and preserved 
throughout the IP packet flow 
C. They are similar and can be used interchangeably. 
D. CoS has much finer granularity than DSCP 
Answer: B 
Explanation: 
CoS and DSCP are both methods of marking packets for quality of service (QoS) 
purposes. QoS is a mechanism that allows network devices to prioritize and 
differentiate traffic based on certain criteria, such as application type, source, 
destination, etc. CoS stands for Class of Service and is a 3-bit field in the 802.1Q 
VLAN tag header. CoS can only be used on Ethernet frames that have a VLAN tag, 
and it can only be preserved within a single VLAN domain. DSCP stands for 
Differentiated Services Code Point and is a 6-bit field in the IP header. DSCP can be
used on any IP packet, regardless of the underlying layer 2 technology, and it can be
preserved throughout the IP packet flow, unless it is modified by intermediate devices.
References:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos/configuration/15-mt/qos-15-mt-book/qos-overview.html
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/17056-741-4.html
https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-packet-marking/10103-dscpvalues.html
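
Where the two markings live in a frame, and which one survives when the VLAN tag is removed, can be checked with a small parser. This is an added example, not code from the referenced documents; the frame is constructed (VLAN 200, CoS 5, DSCP 46, made-up MAC and IP addresses, zero checksum) rather than captured.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_markings(frame: bytes) -> dict:
    """Return the VLAN ID, CoS (802.1Q PCP) and DSCP found in an Ethernet frame.

    'vlan' and 'cos' are None when the frame carries no 802.1Q tag;
    'dscp' is None when the payload is not IPv4.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    cos = vlan = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        cos = tci >> 13             # top 3 bits of the tag: Priority Code Point
        vlan = tci & 0x0FFF         # low 12 bits of the tag: VLAN ID
        offset = 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        tos = frame[offset + 1]     # second byte of the IPv4 header
        dscp = tos >> 2             # top 6 bits: DSCP (low 2 bits are ECN)
    return {"vlan": vlan, "cos": cos, "dscp": dscp}


def strip_vlan_tag(frame: bytes) -> bytes:
    """Model untagged egress: remove the 4-byte 802.1Q tag if present."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def build_frame(vlan: int, cos: int, dscp: int) -> bytes:
    """Constructed 802.1Q-tagged IPv4 frame for the demo (header only, no payload)."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, (cos << 13) | vlan)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ipv4


def demo():
    # Same packet seen on a tagged trunk and after the tag has been removed.
    tagged = build_frame(vlan=200, cos=5, dscp=46)
    return parse_markings(tagged), parse_markings(strip_vlan_tag(tagged))


if __name__ == "__main__":
    on_trunk, untagged = demo()
    print("on trunk :", on_trunk)
    print("untagged :", untagged)
```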

20.A customer is using a legacy application that communicates at layer-2. The
customer would like to keep this application working across the campus which is
connected via layer-3. The legacy devices are connected to Aruba CX 6300 switches
throughout the campus.
Which technology minimizes flooding so the legacy application can work efficiently?
A. Generic Routing Encapsulation (GRE)
B. EVPN-VXLAN
C. Ethernet over IP (EoIP)
D. Static VXLAN
Answer: B
Explanation: 
EVPN-VXLAN is a technology that allows layer-2 communication across layer-3
networks by using Ethernet VPN (EVPN) as a control plane and Virtual Extensible
LAN (VXLAN) as a data plane [3]. EVPN-VXLAN can be used to support legacy
applications that communicate at layer-2 across different campuses or data centers
that are connected via layer-3. EVPN-VXLAN minimizes flooding by using BGP to
distribute MAC addresses and IP addresses of hosts across different VXLAN
segments [3]. EVPN-VXLAN also provides benefits such as loop prevention, load
balancing, mobility, and scalability [3].
References: https://www.arubanetworks.com/assets/tg/TG EVPN VXLAN.pdf 


21.A network engineer recently identified that a wired device connected to a CX
Switch is misbehaving on the network. To address this issue, a new ClearPass policy
has been put in place to prevent this device from connecting to the network again.
Which steps need to be implemented to allow ClearPass to perform a CoA and 
change the access for this wired device? (Select two.) 

A. Confirm that NTP is configured on the switch and ClearPass 

B. Configure dynamic authorization on the switch. 

C. Bounce the switchport 

D. Use Dynamic Segmentation. 

E. Configure dynamic authorization on the switchport 

Answer: AB
Explanation:
To allow ClearPass to perform a CoA and change the access for a wired device, the
following steps need to be implemented:

* Confirm that NTP is configured on the switch and ClearPass. NTP is required to
synchronize the time between the switch and ClearPass, which is essential for CoA
messages to be processed correctly [1].

* Configure dynamic authorization on the switch. Dynamic authorization is a feature
that enables the switch to accept CoA messages from a RADIUS server and apply
them to existing sessions [2]. Dynamic authorization can be enabled globally or per port
on the switch [2].

* Optionally, configure dynamic authorization on the switchport. This step is not
required, but it can provide more granular control over which ports can accept CoA
messages from a RADIUS server. Bouncing the switchport or using Dynamic
Segmentation are not necessary steps for allowing ClearPass to perform a CoA and
change the access for a wired device.

References:

[1] https://www.arubanetworks.com/techdocs/ClearPass/6.7/Aruba_DeployGd_HTML/Content/Aruba Congiblle

[2] https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6692/GUID-BD3E0A5F-FE4C-4B9B-B


22.You are doing tests in your lab with the following equipment specifications:

* AP1 has a radio that generates a 10 dBm signal

* AP2 has a radio that generates a 11 dBm signal

* AP1 has an antenna with a gain of 9 dBi

* AP2 has an antenna with a gain of 12 dBi.

* The antenna cable for AP1 has a 2 dB loss

* The antenna cable for AP2 has a 3 dB loss

What would be the calculated Equivalent Isotropic Radiated Power (EIRP) for AP1?


A. 26 dBm 

B. 30 dBm 

C. 17 dBm 

D. -12 dBm 

Answer: C 

Explanation: 

EIRP = Transmitter power + Antenna gain - Cable loss 
EIRP for AP1 = 10 dBm + 9 dBi - 2 dB = 17 dBm 


23.A system engineer needs to preconfigure several Aruba CX 6300 switches that will
be sent to a remote office. An untrained local field technician will do the rollout of the
switches and the mounting of several AP-515s and AP-575s. Cables to
the APs are not labeled.

The VLANs are already preconfigured to VLAN 100 (mgmt), VLAN 200 (clients), and
VLAN 300 (guests).

What is the correct configuration to ensure that APs will work properly?

A)

port-access lldp-group IAP-Group
seq 10 match sys-desc AP-515
seq 20 match sys-desc AP-575
port-access role IAP-Role
description ARUBA AP
poe-priority high
trust-mode dscp
vlan trunk native 100
vlan trunk allowed 100,200,300
enable
port-access device-profile IAP-Profile
associate role IAP-Role
associate lldp-group IAP-Group

B)

port-access lldp-group IAP-Group
seq 10 match sys-desc 515
seq 20 match sys-desc 575
port-access role IAP-Role
description ARUBA AP
poe-priority high
trust-mode dscp
vlan trunk native 100
vlan trunk allowed 200,300
port-access device-profile IAP-Profile
enable
associate role IAP-Role
associate lldp-group IAP-Group

C)

port-access lldp-group IAP-Group
seq 10 match sys-desc 515
seq 20 match sys-desc 575
port-access role IAP-Role
description ARUBA AP
poe-priority high
trust-mode dscp
vlan trunk native 100
vlan trunk allowed 100,200,300
port-access device-profile IAP-Profile
enable
associate role IAP-Role
associate lldp-group IAP-Group

A. Option A
B. Option B
C. Option C
Answer: C
Explanation:


Option C is the correct configuration to ensure that APs will work properly. It uses the
ap command to configure a port profile for APs with VLAN 100 as the native VLAN
and VLAN 200 and 300 as tagged VLANs. It also enables LLDP on the ports to
discover the APs and assign them to the port profile automatically. The other options
are incorrect because they either do not use the ap command, do not enable LLDP,
or do not configure the VLANs correctly.

References:

https://www.arubanetworks.com/techdocs/AOS-CX 10 08/UG/bk01-ch02.html
https://www.arubanetworks.com/techdocs/AOS-CX 10 08/UG/bk01-ch03.html


24.In AOS 10. which session-based ACL below will only allow ping from any wired 
station to wireless clients but will not allow ping from wireless clients to wired 
stations? The wired host ingress traffic arrives on a trusted port.

A. ip access-list session pingFromWired any user any permit 


B. ip access-list session pingFromWired user any svc-icmp deny any any svc-icmp 
permit 

C. ip access-list session pingFromWired any any svc-icmp permit user any svc-icmp 
deny 

D. ip access-list session pingFromWired any any svc-icmp deny any user svc-icmp 
permit 

Answer: D 

Explanation: 

A. ip access-list session pingFromWired any user any permit 

This will allow all traffic from any source to wireless clients (user). Not what we want.

B. ip access-list session pingFromWired user any svc-icmp deny any any svc-icmp
permit

The first rule denies ICMP (ping) from wireless clients (user) to any destination.

The second rule permits ICMP from any source to any destination. However, since
the deny rule is processed first, pings from wireless clients will be blocked.

This option looks correct based on the rules provided.

C. ip access-list session pingFromWired any any svc-icmp permit user any svc-icmp
deny

The first rule permits ICMP from any source to any destination. This includes wireless
clients pinging wired stations.

The second rule denies ICMP from wireless clients to any destination. However, since
it comes after the permit rule, it will never be processed.

This doesn't match the desired behavior.

D. ip access-list session pingFromWired any any svc-icmp deny any user svc-icmp
permit

The first rule denies ICMP from any source to any destination. Since this is the first
rule, it will block all ICMP traffic.

This option will not allow the desired behavior.

Given the explanations above, the correct answer is:

B. ip access-list session pingFromWired user any svc-icmp deny any any svc-icmp
permit


25.A new network design is being considered to minimize client latency in a
high-density environment. The design needs to do this by eliminating contention overhead
by dedicating subcarriers to clients.

Which technology is the best match for this use case? 

A. OFDMA 

B. MU-MIMO 

C. QWMM 

D. Channel Bonding 

Answer: A 

Explanation: 


OFDMA (Orthogonal Frequency Division Multiple Access) is a technology that can 
minimize client latency in a high-density environment by eliminating contention 
overhead by dedicating subcarriers to clients. OFDMA allows multiple clients to 
transmit simultaneously on different subcarriers within the same channel, reducing 
contention and increasing efficiency. MU-MIMO (Multi-User Multiple Input Multiple 
Output) is a technology that allows multiple clients to transmit simultaneously on 
different spatial streams within the same channel, but it does not eliminate contention 
overhead. 
QWMM (Quality of Service Wireless Multimedia) is a technology that prioritizes traffic 
based on four access categories, but it does not eliminate contention overhead. 
Channel Bonding is a technology that combines two adjacent channels into one wider 
channel, increasing bandwidth but not eliminating contention overhead. 
References:
https://www.arubanetworks.com/assets/ds/DS_AP510Series.pdf
https://www.arubanetworks.com/assets/wp/WP_WiFi6.pdf


26.What is a primary benefit of BSS coloring?
A. BSS color tags improve performance by allowing clients on the same channel to
share airtime.
B. BSS color tags are applied to client devices and can reduce the threshold for
interference.
C. BSS color tags are applied to Wi-Fi channels and can reduce the threshold for
interference.
D. BSS color tags improve security by identifying rogue APs and removing them from
the network.
Answer: C


27.Your manufacturing client is having installers deploy seventy headless scanners
and fifty IP cameras in their warehouse. These new devices do not support 802.1X
authentication.
How can HPE Aruba reduce the IT administration overhead associated with this 
deployment while maintaining a secure environment using MPSK? 
A. Have the installers generate keys with ClearPass Self Service Registration. 
B. Have the MPSK gateway derive the unique pre-shared keys based on the MAC 
OUI. 
C. Use MPSK Local to automatically provide unique pre-shared keys for devices. 
D. MPSK Local will allow the cameras to share a key and the scanners to share a 
different key 
Answer: D 
Explanation: 
A. Have the installers generate keys with ClearPass Self Service Registration. - While
this could theoretically work, it would require each installer to manually register each
device. This can be cumbersome and time-consuming, especially given the number of
devices in this scenario.

B. Have the MPSK gateway derive the unique pre-shared keys based on the MAC 
OUI. - This is not a typical feature of MPSK. MPSK can assign unique keys based on 
full MAC addresses, not just the MAC OUI (which only identifies the manufacturer and 
not individual devices). 

C. Use MPSK Local to automatically provide unique pre-shared keys for devices. - 
MPSK Local can be set up to assign unique pre-shared keys based on MAC 
addresses, which would reduce administrative overhead. However, the "automatic" 
provision is somewhat misleading, as the keys and MAC addresses would still need 
to be predefined in the MPSK Local configuration. 

D. MPSK Local will allow the cameras to share a key and the scanners to share a
different key. - This is a valid use of MPSK. It would be less secure than giving each
device its unique key (since all cameras would share one key and all scanners
another), but it would reduce the administrative overhead considerably. This approach
balances security and simplicity.

Given the primary goal of reducing IT administration overhead while still maintaining a
relatively secure environment, the best answer would be:

D. MPSK Local will allow the cameras to share a key and the scanners to share a
different key.


28.What is the order of operations for Key Management Service for a wireless client
roaming from AP1 to AP2?

Operation | Order
Cache the client's information |
Client associates and authenticates to AP1 |
Generate Pairwise Master Key keys for AP1's neighbors |
Get AP1 neighbor AP list |
Share Pairwise Master Key along with VLAN and User Role to target APs |

Answer:

Operation | Order
Cache the client's information | Client associates and authenticates to AP1
Client associates and authenticates to AP1 | Cache the client's information
Generate Pairwise Master Key keys for AP1's neighbors | Generate Pairwise Master Key keys for AP1's neighbors
Get AP1 neighbor AP list | Get AP1 neighbor AP list
Share Pairwise Master Key along with VLAN and User Role to target APs | Share Pairwise Master Key along with VLAN and User Role to target APs

Explanation:
https://www.arubanetworks.com/techdocs/Instant_85_WebHelp/Content/instant-ug/wlan-ssid-conf/conf-fast-roa


29.When setting up an Aruba CX VSX pair, which information does the Inter-Switch 
Link Protocol configuration use in the configuration created? 

A. QSVI 

B. MAC tables 

C. UDLD 

D. RPVST+ 

Answer: C 

Explanation:

UDLD (Unidirectional Link Detection) is the information that the Inter-Switch Link
Protocol configuration uses in the configuration created for a VSX pair
inter-switch-link. UDLD is a protocol that detects unidirectional links between switches and
prevents loops or black holes in the network. UDLD is enabled by default on all ports
that are part of the inter-switch-link between VSX peers. The other options are
incorrect because they are either not related to inter-switch-link or not supported by
Aruba CX VSX.

References:
https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch07.html
https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch02.html


30.Select the Aruba stacking technology matching each option (Options may be used
more than once or not at all.)

Answer Area
Supports two devices per stack
Individual ISL links up to 400G are supported
Individual ISL links up to 50G are supported

Answer:

Answer Area
VSF | Supports up to 10 devices per stack
VSX | Supports two devices per stack
VSX | Individual ISL links up to 400G are supported
VSF | Individual ISL links up to 50G are supported
VSF | A maximum aggregate ISL bandwidth of 200G is supported

Explanation:
a) Support up to 10 devices per stack -> VSF
b) Support two devices per stack -> VSX
c) Individual ISL links up to 400G are supported -> VSX
d) Individual ISL links up to 50G are supported -> VSF
e) A maximum aggregate ISL bandwidth of 200G is supported -> VSF
References: https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/GUID-2B425DAE-EC54-4313-9D


31.Review the exhibit.


[Exhibit: two Aruba 8360-32Y4C v2 FB 3F 2AC switches (Bundle #1 and Bundle #2) joined by an SFP28 DAC (Aruba) keepalive link and an SFP28 DAC ISL LAG, with 10GBase-SR links to an Aruba 6100 48G PoE 4SFP+ switch.]


You are troubleshooting an issue with a 10.102.39.0/24 subnet, which is also VLAN
1000, used for wireless clients on a pair of Aruba CX 8360 switches. The subnet SVI
is configured on the 8360 pair, and the DHCP server is a Microsoft Windows Server
2022 Standard with an IP address of 10.200.1.100. The 10.102.250.0/24 subnet is
used for switch management.

A large number of DHCP requests are failing. You are observing sporadic DHCP
behavior across clients attached to the CX 6100 switch.

Which action may help fix the issue?

A)

Enter the following commands on the VSX primary switch

vsx

B)

Enter the following commands on the VSX secondary switch

vlan 1000
ip relay-address 10.200.1.100
exit

C)

Add an SVI in the 10.102.39.0/24 subnet on the Aruba CX 6100 switch that the APs are connected to

D)

Enter the following commands on the Aruba CX 6100 switch

interface vlan 1000
ip helper-address 10.200.1.100
exit
A. Option A 
B. Option B 
C. Option C 
D. Option D 
Answer: C 


Explanation: 


Option B is the correct action that may help fix the issue of sporadic DHCP behavior 
across clients attached to the CX 6100 switch. Option B enables DHCP relay on 
VLAN 1000 interface on Core-1 switch, which allows DHCP requests from clients in 
VLAN 1000 to be forwarded to the DHCP server in a different subnet (10.200.1.100). 
Without DHCP relay, clients in VLAN 1000 cannot obtain IP addresses from the 
DHCP server because they are in different broadcast domains. The other options are 
incorrect because they either do not enable DHCP relay or do not configure it 
correctly. 

References:

https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch02.html
https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch03.html


32.The administrator notices that wired guest users that have exceeded their
bandwidth limit are not being disconnected. Access Tracker in ClearPass indicates a
disconnect CoA message is being sent to the AOS-CX switch.
An administrator has performed the following configuration:


What is the most likely cause of this issue?
A. Change of Authorization has not been globally enabled on the switch.
B. The SSL certificate for CPPM has not been added as a trust point on the switch.
C. There is a mismatch between the RADIUS secret on the switch and CPPM.
D. There is a time difference between the switch and the ClearPass Policy Manager.
Answer: A



33.You are helping an onsite network technician bring up an Aruba 9004 gateway
with ZTP for a branch office. The technician was to plug in any port for the ZTP
process to start. Thirty minutes after the gateway was plugged in, new users started to
complain they were no longer able to get to the internet. One user who reported the
issue stated their IP address is 172.16.0.81. However, the branch office network is
supposed to be on 10.231.81.0/24.

What should the technician do to alleviate the issue and get the ZTP process started
correctly?

A. Turn off the DHCP scope on the gateway, and set DNS correctly on the gateway to
reach Aruba Activate.

B. Move the cable on the gateway from port G0/0/1 to port G0/0/0.

C. Move the cable on the gateway to G0/0/1, and add the device's MAC and Serial
number in Central.

D. Factory default and reboot the gateway to restart the process. 

Answer: B 


34.Your Director of Security asks you to assign AOS-CX switch management roles to
new employees based on their specific job requirements. After the configuration was
complete, it was noted that a user assigned with the administrators role did not have
the appropriate level of access on the switch.

The user was not limited to viewing nonsensitive configuration information and a level
of 1 was not assigned to their role.

Which default management role should have been assigned for the user?
A. sysadmin
B. operators
C. helpdesk
D. config
Answer: B


35.A company recently deployed new Aruba Access Points at different branch offices.
Wireless 802.1X authentication will be against a RADIUS server in the cloud. The
security team is concerned that the traffic between the AP and the RADIUS server will
be exposed.

What is the appropriate solution for this scenario?

A. Enable EAP-TLS on all wireless devices.

B. Configure RadSec on the AP and Aruba Central.

C. Enable EAP-TTLS on all wireless devices.

D. Configure RadSec on the AP and the RADIUS server.

Answer: D

Explanation:
This is the appropriate solution for this scenario where wireless 802.1X authentication 
will be against a RADIUS server in the cloud and the security team is concerned that 
the traffic between the AP and the RADIUS server will be exposed. RadSec, also 
known as RADIUS over TLS, is a protocol that provides encryption and authentication 
for RADIUS traffic over TCP and TLS. RadSec can be configured on both the AP and 
the RADIUS server to establish a secure tunnel for exchanging RADIUS packets. The 
other options are incorrect because they either do not provide encryption or 
authentication for RADIUS traffic or do not involve RadSec. 

References: 

https://www.securew2.com/blog/what-is-radsec/ 


https://www.cloudradius.com/radsec-vs-radius/ 


36.You are deploying a bonded 40 MHz wide channel. 

What is the difference in the noise floor perceived by a client using this bonded 
channel as compared to an unbonded 20MHz wide channel? 

A. 2dB 

B. 3dB 

C. 8dB 

D. 4dB 

Answer: B 

Explanation: 

The difference in the noise floor perceived by a client using a bonded 40 MHz wide
channel as compared to an unbonded 20 MHz wide channel is 3 dB. The noise floor
is the level of background noise in a given frequency band. When two adjacent
channels are bonded, the noise floor increases by 3 dB because the bandwidth is
doubled and more noise is captured. The other options are incorrect because they do
not reflect the correct relationship between bandwidth and noise floor.

References:
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/wlan-rf/rf-fundam
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/wlan-rf/channel-b


37.Using Aruba best practices, what should be enabled for visitor networks where
encryption is needed but authentication is not required?
A. Wi-Fi Protected Access 3 Enterprise
B. Opportunistic Wireless Encryption
C. Wired Equivalent Privacy
D. Open Network Access
Answer: B
Explanation:
Opportunistic Wireless Encryption (OWE) is a feature that provides encryption for 
open wireless networks without requiring authentication. OWE uses an enhanced 
version of the 4-way handshake to establish a pairwise key between the client and the 
AP, which is then used to encrypt the wireless traffic using WPA2 or WPA3 protocols. 
OWE can be used for visitor networks where encryption is needed but authentication 
is not required. 
References: https://www.arubanetworks.com/assets/tg/TG_OWE.pdf


38.Describe the difference between Class of Service (CoS) and Differentiated
Services Code Point (DSCP).

A. CoS has much finer granularity than DSCP.

B. CoS is only contained in VLAN Tag fields. DSCP is in the IP Header and preserved
throughout the IP packet flow.

C. They are similar and can be used interchangeably.

D. CoS is only used to determine CLASS of traffic. DSCP is only used to differentiate
between different Classes.

Answer: B 

Explanation: 

CoS and DSCP are both methods of marking packets for quality of service (QoS) 
purposes. QoS is a mechanism that allows network devices to prioritize and 
differentiate traffic based on certain criteria, such as application type, source, 
destination, etc. CoS stands for Class of Service and is a 3-bit field in the 802.1Q 
VLAN tag header. CoS can only be used on Ethernet frames that have a VLAN tag, 
and it can only be preserved within a single VLAN domain. DSCP stands for
Differentiated Services Code Point and is a 6-bit field in the IP header. DSCP can be
used on any IP packet, regardless of the underlying layer 2 technology, and it can be
preserved throughout the IP packet flow, unless it is modified by intermediate devices.
References:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos/configuration/15-mt/qos-15-mt-book/qos-overview.html
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/17056-741-4.html
https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-packet-marking/10103-dscpvalues.html


39.You are configuring an SVI on an Aruba CX switch that needs to have the
following characteristics:
* VLAN ID = 25
* IPv4 address 10.105.43.1 with mask 255.255.255.0
* IPv6 address fd00:5708::102d:4df6 with a 64 bit prefix length
* member of VRF eng
* VRF eng and VLAN 25 have not yet been created
Which command lists will satisfy the requirements with the least number of 
commands? 
A)

vrf eng
vlan 25
interface vlan 25
ip address 10.105.43.1 255.255.255.0
ipv6 address fd00:5708::f02d:40f6/64
vrf attach eng

B)

interface vlan 25
vrf attach eng
ip address 10.105.43.1/24
ipv6 address fd00:5708::102d:40f6/64

C)

interface vlan 25
vrf attach eng
ip address 10.105.43.1/24
ipv6 address fd00:5708::f02d:4df6/64

D)

vrf eng
vlan 25
interface vlan 25
ip address 10.105.43.1/24
ipv6 address fd00:5708::102d:4df6/64
vrf attach eng



A. Option A 
B. Option B 
C. Option C 
D. Option D 
Answer: C 


40.Due to a shipping error, five (5) Aruba AP-515S and one (1) Aruba CX 6300 were
sent directly to your new branch office. You have configured a new group persona for
the new branch office devices in Central, but you do not know their MAC addresses or
serial numbers. The office manager is instructed via text message on their smartphone
to onboard all the new hardware into Aruba Central.

What application must the office manager use on their phone to complete this task?
A. Aruba Onboard App

B. Aruba Central App

C. Aruba CX Mobile App
D. Aruba installer App
Answer: B